1 / 33

Stream Cipher

Stream Cipher. Introduction Pseudorandomness LFSR Design Refer to “Handbook of Applied Cryptography” [Ch 5 & 6]. Stream Cipher. Introduction Originate from one-time pad bit-by-bit Exor with pt and key stream (c i = m i  z i ) Encryption = Decryption --> Symmetric

rae-beard
Download Presentation

Stream Cipher

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Stream Cipher • Introduction • Pseudorandomness • LFSR • Design • Refer to “Handbook of Applied Cryptography” [Ch 5 & 6]

  2. Stream Cipher Introduction Originate from one-time pad bit-by-bit Exor with pt and key stream (ci = mi  zi) Encryption = Decryption --> Symmetric Use LFSR (Linear Feedback Shift Register) (external) Synchronous or self-synchronous Properties Faster and Low Complexity in H/W Security measure : Period of key stream, LC(Linear Complexity), Statistical properties Vast amounts of theoretical knowledge Proprietary and Confidential for Military

  3. Sequence • Def) • s=s0,s1,… : infinite seq., • sn=s0,s1,…,sn-1:n term of s • if si= si+n for all i >=0, s is periodic seq. having period n. • run : subsequence of consecutive ‘0’(gap) or consecutive ‘1’(block)

  4. Pseudorandomness

  5. Golomb’s postulates(I) sN : periodic seq. of period N • For a cycle of sN, 0~1 balanceness, i.e, | #{si=1} - #{sj=0} | =<1 (2) For a cycle of sN, half the runs have length 1, 1/4 have the length 2, …, etc. (3) Autocorrelation* function is two-valued * Measuring similarity between original and t-shifted sequences ** A sequence satisfying them is called Pseudo-Noise(PN) sequence.

  6. Golomb’s postulates(II) (Ex) s15 = 0,1,1,0,0,1,0,0,0,1,1,1,1,0,1 (1) #{0} = 7, #{1}=8 (why ?) (2) 8 runs, 4 runs with length 1 (2 gaps, 2 blocks), 2 runs with length 2 (1 gap, 1 block), 1 run with length 3 (1 gap), 1 run with length 4 (1 block) (3) Autocorrelation function, C(0)=1, C(t)= -1/15 Thus, PN-seq.

  7. Statistical Randomness • Five Basic Tests • Frequency Test (monobit) • Serial Test (twobit; Overlapping is allowed) • Poker Test (Frequency of m-bit subsequences) • Runs Test • Autocorrelation Test • Others • Spectral Test • Linear Complexity Profile • Quadratic Complexity • Universal Test

  8. Statistical Test by FIPS 140-1 For a given 20,000bit sample seq. (I) monobit test : The number of ‘1’=n1, 9,654 < n1 < 10,346 (2) poker test : m=4, 1.03 < X3 < 57.4 (3) runs test : for length 1  i  6 (4) long run test : no run greater than 34

  9. LFSR

  10. Output Stage 2 Stage 1 Stage 3 Stage 0 D3 Notation of LFSR • Notation: < L, C[D]> where connection poly. C[D] = 1 + c1D + c2D2 + …+cLDL Z2[D] • If cL=1, {i.e., deg{C[D]}=L}, C[D] is called a nonsingular polynomial. • If initial stage is [sL-1, … , s1,s0], output seq. s0,s1, … sj = (c1s j-1 + c 2 s j-2 + … + c Ls j-L) mod 2 , j  L (Ex) <4, 1 + D + D4> , 0 = [0,1,1,0]  s4=s3+s0 • Finite State Machine t D3 D2 D1 D0t D3 D2 D1 D0 0 0 1 1 0 (6) 8 1 1 1 0 (14) 1 0 0 1 1 (3) 9 1 1 1 1 (15) 2 1 0 0 1 (9) 10 0 1 1 1 (7) 3 0 1 0 0 (4) 11 1 0 1 1 (11) 4 0 0 1 0 (2) 12 0 1 0 1 (5) 5 0 0 0 1 (1) 13 1 0 1 0 (10) 6 1 0 0 0 (8) 14 1 1 0 1 (13) 7 1 1 0 0 (12) 15 0 1 1 0 (6) Output seq. = 0,1,1,0,0,1,0,0,0,1,1,1,1,0,1,0 D2 D1 D0

  11. Properties of m-LFSR(I) • The period of the sequence from LFSR divides 2L-1 • A polynomial f(x) is called a primitive polynomial if f(x) | xk-1 for k=2L-1 not for smaller k • # of monic primitive poly =(2m-1)/m in Z2[x] where  is Euler-phi ft. • If the connection polynomial is primitive, the period is 2L-1 • Such sequence is called Maximum-length Shift Register Seq., M –seq. and LFSR is called m-LFSR.

  12. m k(k1,k2,k3) m k(k1,k2,k3) m k(k1,k2,k3) m k(k1,k2,k3) 2 3 4 5 6 7 8 9 10 11 1 1 1 2 1 1 6,5,1 4 3 2 12 13 14 15 16 17 18 19 20 21 7,4,3 4,3,1 12,11,1 1 5,3,2 3 7 6,5,1 3 2 22 23 24 25 26 27 28 29 30 31 1 5 4,3,1 3 8,7,1 8,7,1 3 2 16,15,1 3 32 33 34 35 36 37 38 39 40 41 28,27,1 13 15,14,1 2 11 12,10,2 6,5,1 421,19,2 3 Primitive Polynomials Primitive polynomial over Z2: • xm+xk+1(trinomial) • xm + xk1+xk2+xk3+1(pentanomial)

  13. Properties of LFSR(II) • Well suited for H/W implementation • Produce seq. of large period • Good statistical properties • Readily analyzed by algebraic structure • Breakable by consecutive 2 * L sequence : depends on computing an inverse matrix whose complexity is O(L3), L : length of LFSR.one LFSR is useless.

  14. Linear Complexity(I) • (Def) Given an infinite sequence s, the shortest length of LFSR’s that generate s is called Linear Complexity • Using Berlekamp-Massey algorithm, LC is computed • (Properties of LC) s,t : binary seq. • For any n 1, 0  L(sn)  n • L(sn) =0 iff sn is ‘0’ seq. of length n. • L(sn) =n iff sn=0,0,…,0,1. • If s is periodic with period N, L(sn)  N. • L(st)  L(s) + L(t)

  15. Linear Complexity(II) • sn : random seq. from all seq. of length n • Expectation value of LC where B(n)=0 if even n, otherwise 0 For large n E(L(sn))  n/2 + 2/9 and Var(L(sn))  86/81 • (Def) LCP (Linear Complexity Profile) DenoteLN is LC of sN=s0,s1,…sN-1, L1, L2, … LN is LCP

  16. Nonlinear FSR f ( s j-1, s j-2, …, s j-L) Sj Sj-1 Sj-L+2 sj-L+1 S j-L Stage L-1 Stage 1 Stage 0 Output f() : nonlinear ft

  17. Design

  18. f f Synchronous Stream Cipher(I) • f : next state ft, i+1 = f(i , k), 0 : initial value • g : keystream generating ft, zi = g (i , k), k : key • h : output ft, ci = h (zi, mi) , mi : pt, zi : key stream, ci:ct i i i+1 i+1 k k g g zi zi ci ci mi mi h h-1 Decryption Encryption

  19. Synchronous Stream Cipher(II) • Keystream is independent of pt and ct • Properties • Synchronization requirement • No error propagation • Active attack • Insertion, deletion or replay will lose synchronization • Change selected ciphertext digits  Need to have integrity check mechanisms

  20. Self-Synchronous Stream Cipher(I) • i = (ci-t , ci-t+1, …, ci-1), 0 = (c-t, c-t+1, …, c-1) : initial value • g : keystream generating ft, zi = g (i , k), k : key • h : output ft, ci = h (zi, mi) , mi : pt, zi : keystream, ci : ct g k g k zi zi mi mi ci ci h h-1 Encryption Decryption

  21. Self-Synchronous Stream Cipher(II) • Keystream is independent of pt and ct • Properties • Self-Synchronization • Limited error propagation • Active attack • Difficult to detect insertion, deletion, or replay • Easy to find passive modification • More diffusion more resistant against attacks based on plaintext redundancy

  22. Nonlinear Combiner(I) LFSR 1 LFSR 2 f Keystream, z LFSR n Algebraic Normal Form (ANF) : mod. 2 sum of distinct m-th order product of its variable, 0 <= m <= n Ex) f(x1,x2,x3,x4,x5)=1 + x2+ x3 + x4 + x4x5 + x1x2x3x4, deg(f) =4

  23. x1 LFSR 1 x2 LFSR 2 Keystream, z x3 LFSR 3 Nonlinear Combiner(II) • Geffe generator • f(x1,x2,x3) = x1x2(1+x2)x3 = x1x2 x2x3 x3 • p(z) : (2L1-1) (2L2-1)(2L3-1) where L1,L2 and L3 are relatively prime • L(z) = L1L2 + L1L3 + L3 • Prob(z(t)=x1(t)) =3/4  Correlation attack is possible !

  24. Carry x1 LFSR 1 x2 LFSR 2 xn LFSR n Nonlinear Combiner(III) • Summation generator If Li and Lj are pairwise relatively prime, then p(z) = i=1n (2Li -1) LC  p(z) But vulnerable to the correlation attack of carry and 2-adic span z, keystream

  25. LFSR R2 Clock LFSR R1 LFSR R3 Clock-controlled generator(I) • Alternating step generator z, keystream R1 : de Brujin seq. of period 2L1 R2,R3 : m-seq s.t., gcd(L2, L3)=1 p(z) = 2L1 (2L2-1)(2L3-1) L(z) : (L2 + L3) 2L1-1 < L(z) <= (L2+L3) 2L1 • Best known attack is a divide-and-conquer attack on the control register R1 in 2L • L should be about 128 (de Brujin = maximal period)

  26. ai LFSR R1 Clock ai=1 bi output bi LFSR R2 discard bi ai=0 Clock-controlled generator(II) • Shrinking generator • If gcd(L1, L2) =1, p(z) = (2L2-1) 2L1-1 • L2 2 L1-2 < L(z) < L2 2 L1-1 • Best known attack takes O(2L1L23). Li is about 64

  27. Other generators • Cascade Generator • CSPRBG(Cryptographically Secure Pseudo Random Bit Generator) • RSA LSB Generator • BBS Generator (p.336) • Pseudo-noise Generator • Noise Diode or Noise Transistor • Feedback with Carry Shift Register (FCSR) • 2-adic span • Stream Ciphers: SEAL, A5, RC4, PKZIP, FISH, PIKE, etc.

  28. Correlation Attack

  29. Correlation Attack (I) • Siegenthaler, 1984 • The complexity of a Combining Generator depends on the correlation of the combining function F. • Divide-and-Conquer Attack - If the output of F has a correlation with the output of KSG1, we can find the initial vector of the KSG1 KSG 1 x1 KSG 2 F x2 z xn KSG n

  30. KSG 1 x1 KSG 2 F x2 z xn KSG n Correlation Attack (II) • Assume Prob(z=0|xi=0)=1/2-e, e>0 • Identify the initial vector of the KSGi by Divide and Conquer • Known ciphertext attack • Assume an initial vector of KSGi • Generate xi’ from KSGi • Compute e’=1/2- Prob(z=0|xi’=0) • If the initial vector is correct, we must have e’=e. If not, we have e0 since x’ has no correlation with z • This attack is very effective. So e must be zero.

  31. Resilient Functions • A balanced function {0,1}n{0,1}m - every possible output m-tuple is equally likely to occur • A k-resilient function f : {0,1}n{0,1}m - every possible output m-tuple is equally likely to occur when the values of k arbitrary inputs are fixed and the remaining n-k input bits are chosen independently at random. • A 0-resilient function is just a balanced function. • A k-resilient function is (k-1)-resilient. • E.g.) f(x1,x2)=x1+x2 is 1-resilient.

  32. Multi-output Stream Ciphers • To design a multi-output stream cipher based on a combining generator, we need a resilient function which • is nonlinear • has algebraic degree as large as possible (for large LC) • has nonlinearity as large as possible • has resiliency as large as possible KSG 1 KSG 2 F KSG n

  33. Summary of a Stream Cipher • Period : Depends on req’d level of security • Linear Complexity • shortest LFSR that generates a given seq. • Measure against Correlation Attack • Correlation Immune function • Nonlinear function * A5 (for GSM) crack survey: http://www.jya.com/crack-a5.htm

More Related